A War of Independence. The Cyber War

Andriy Lazorenko
10 min read · Mar 14, 2022


The 8th article in a series dedicated to my personal memories of events related to the Russo-Ukrainian War, its new and active phase that started on 24.02.2022. Check below for the rest of the articles.

Part 7. The Cyber War

The Hatred Towards the Invaders

A residential building in Borodyanka, Kyiv region

“If you imagine a line from 0 to 100, where 0 is “getting the fuck out of here” and 100 is “coming to slaughter the Russians”, I was at 0 a week ago,” my colleague from Solarisbank said. “Now, frankly speaking, I am at 50.” My friends felt the same way. The thing is, as time went by, several changes happened to the way the Russian Army behaved. They started deliberately bombing civilian districts and infrastructure. At this scale it could no longer be presented as an artillery miscalculation. These were acts of genocide, a war waged against all Ukrainians. Putin could no longer hide behind the rhetoric of “liberating the Russian-speaking population”, because his army was shelling the Russian-speaking regions without mercy.

A University building burning after bombing, Kharkiv

Kharkiv, the 2nd most populated city in Ukraine, was a city that I was afraid for in 2014. I was afraid it would be engulfed in the chaos of the “Russian world” seen in Donetsk and Luhansk. Its population spoke Russian more than Ukrainian. Kharkiv still had its main street named after Vladimir Lenin. People of Kharkiv eagerly celebrated traditional Soviet holidays, the 23rd of February (Defender of the Motherland Day) and the 8th of March (International Women’s Day). The city had a lot of Orthodox churches belonging to the Moscow Patriarchate. Kharkiv had a pro-Russian mayor. It was a clear candidate for false-flag operations performed by sabotage and reconnaissance groups.

A house in Saltivka residential area, Kharkiv

Surprisingly, it was shelled by artillery and bombed by airplanes mercilessly instead, for weeks. Women were giving birth in the metro and in bomb shelters, as the sirens switched on and off all the time. Universities, schools, kindergartens, hospitals, tram depots, residential areas, factories, business centers, malls, experimental nuclear reactors, historical buildings that survived World War 2: everything was targeted, bombed, destroyed, burned; explosions were ever-present. I cannot imagine how my numerous colleagues from Kharkiv have felt.

People taking shelter in Kharkiv Metro

To add insult to injury, Russian media tried to twist things around to blame the Ukrainian military for air raids and shelling of its own citizens, just as they blamed our army for shelling Donetsk before. However, it is difficult to pull that trick a second time, due to open-source intelligence efforts. Skilled enthusiasts debunk those Russian propaganda claims and prove, based on publicly available evidence, that the munitions were launched at Kharkiv from the north-east, which is the direction of the Russian border.

The use of cluster munitions against civilians is illegal under the 4th Geneva Convention. The evidence is being collected via a Telegram bot for the International Court in The Hague.

I could go on and on to make this article a 10-hour read. I could tell you about smaller towns near Kharkiv, about surrounded Chernihiv, about Sumy and Okhtyrka, where I spent time with my best university friend, about Irpin, Bucha and Hostomel, where Kate and I considered buying a townhouse to live a calmer life among newly built residential areas filled with kids’ laughter and young families, about Enerhodar, a town serving the largest nuclear power plant in Europe, about defiant Kherson and Mykolaiv. I still cannot start writing about heroic and valiant Mariupol, a city of over 400 000 people, encircled by Russian forces for weeks without supplies, heat, water, electricity, food and communication, shelled on a daily basis… I think every Ukrainian understood at this point what the essence of the “Russian world” is: the extermination of independent nations with neither rules nor boundaries.

Remains of one of the Russian military vehicle columns advancing through Bucha

Disclaimer

I have been busy writing articles and posting on LinkedIn and Facebook since I arrived at my place of refuge. What I am about to write below is based on the information I received from my peers: friends and acquaintances. It describes events that might or might not have happened in reality as though they have happened. The article is narrated in the first person (using “I” and “we” rather than “he/she” or “they”) to increase immersion and to keep the narration style intact.

Early Cyber War

There are over 250 000 IT specialists in Ukraine. I am one of them. What do you think our response would be, seeing our homes turned to ashes and our fellow citizens murdered? Few of us are firearms experts with enough experience to join either the territorial defense or the Ukrainian Armed Forces. However, we know a thing or two about coding. So we decided to strike back using our skills on the cyber front.

After the Anonymous group declared cyber war on Russia, I decided to tag along and see what I could do. First we organised in small groups of enthusiasts in Telegram. Websites like “crypto shark pro trading” were swiftly repurposed without hesitation to provide instructions for newcomers. Inside the groups, the initial information on the setup and configs to use for DoS attacks was spread. Docker containers were created and shared to ensure new members had lightning-fast access to pre-configured tools. Swiftly modified custom Python scripts were released to a broader audience.

Some people are just not that afraid of Putin

Many GitHub links were shared to various tools, some of them used to ban Telegram accounts and botnets. The thing is, traitors favored using Telegram channels to coordinate artillery strikes on Ukrainian cities. They were a large threat, betraying fellow citizens by providing coordinates for bombing for less than $1.500.

VPN

Clearly, the attacks had to originate from Russian servers (certainly not from Ukrainian IPs), otherwise it would be too easy to block them via geolocation of the IPs. The VPN setup issue stopped me personally for some time. The VPN provider that I was looking for needed to be:

  • Linux-compatible
  • Having multiple IP addresses in Russia (to be able to switch IPs to avoid bans)
  • Cheap (free?)

There were not many of those on the market. The supply of viable VPNs was better for Mac OS, for instance TouchVPN and ClearVPN. ClearVPN is free for Ukrainians using a promo code released by its creator, MacPaw, a Ukraine-based IT product company. I certainly appreciated the gesture, although I couldn’t benefit from it: my work laptop running macOS was strictly off-limits, both legally and in terms of cyber security. But other IT enthusiasts gladly used it on their own private laptops.

Many people started using the free ClearVPN recently, so the VPN started working unreliably after some time. I hope it has recovered.

After some time, credentials for a paid version of ProtonVPN were spread across the network: somebody paid around $90 for a yearly subscription (Plus) and shared the credentials among us. Clearly, we didn’t pay too much attention to defensive countermeasures.

Retaliation Strikes

After several attempts, one of my colleagues reported problems with his Mac laptop. The laptop was prompting for a password change, and processes were shutting down on their own. I advised him to switch off the laptop: it is impossible to attack an offline piece of equipment.

We knew the risks. Everyone was advised to monitor their laptops and act swiftly in response to retaliation strikes by people who actually knew what they were doing. Many in our group did not know too much about hacking: we were the ones creating programs, not the ones who attempted to break them, so we asked everyone who noticed suspicious activity to simply stop and switch off.

Tools, tools, tools

After trying out several of the tools, I noticed that transparency and verbosity were a little bit lacking. It was unclear how to compare tools and understand which ones were more successful than others, not with the logging available. Many new tools appeared on the radar every day; it seemed like we needed a dedicated person just for tool comparison. Other members were busy researching cloud DDoS capabilities on popular cloud vendor platforms, as their internet connection was not stable enough to be effective. They had their share of success right until an imminent (as Mr. Biden would say) suspension of their cloud accounts. These were not work accounts, of course.

I didn’t struggle with the problem of tools too much: new and more powerful ones arrived, developed by experienced DevOps acquaintances. These were brutal things, and I would not even like to describe their principles of work. I think I need to consult a lawyer first. Anyway, these tools were capable of dealing with highly resilient targets: local search engines (e.g. Yandex), large banks (e.g. Sberbank) and other protected ones.

Nation-wide Cyber Resistance

Soon, a group with 100k+ members appeared on Telegram, popularized by representatives of the Ukrainian government. Many IT specialists from Ukraine joined it. It was a voluntary group that received instructions and targets directly from the government and assisted in cyber ops. Some of their later instructions contained similar principles of attack for the highly resilient targets (but they used different tools). However, the orders were not coordinated too well (in my opinion). They were released without a timestamp for execution. Therefore we continued to coordinate with smaller, more organized groups to time our attacks and start them simultaneously.

The target websites varied: government services, state-owned companies, the largest banks, search engines, military corporations, stock exchanges; it was the Wild West, basically. We attacked every website that could serve the Russian invasion, directly or indirectly, but strictly of Russian origin. There was enough info released on targets and tools to enable people with limited IT knowledge to join the attacks.

Russian media reported that the scale of the attacks that happened was only achievable by “the largest cyber-countries of the world: Russia, China and the US”. We were laughing at the news. Almost everyone who had time, internet, a computer and some IT skills joined the cyber war. I personally think that Putin and all the Russians in general underestimate just how powerful enthusiastic people can become if they are driven by a common goal. And that goal was now clear to every Ukrainian.

The Conclusion

Everything is a battlefield these days… And victories were celebrated

Frederick the Great once said: “He who defends everything defends nothing”. I don’t think that DoS attacks did any substantial damage at the beginning of the Cyber War. Rather, they created a distraction and mobilized the attention of DevOps in the wrong direction. Among the successes of real cyber operations happening covertly, I have witnessed the replacement of video content on Russian TV channels by videos of the war. I have also seen a large database of credit cards issued by Russian banks (along with their CVV codes) and a database of all users of Yandex Food (and several other databases) uploaded into the open. We didn’t act upon any of them: I don’t think it is moral to donate the money of a random Russian citizen to the Ukrainian Armed Forces account, as these funds might as well be the last hope for survival for some grandma in a godforsaken town in Siberia. And we couldn’t come up with a good way of using the Yandex Food database, except for sending these people messages about what is really going on here using e-mail or Telegram (via phone number). However, at that point we could not find a website providing concentrated information on the atrocities that happened in the war, and we knew we would likely be blocked straight away. We abandoned the idea.

Cyber attacks continue right now as I write these lines, but not by our group. Eventually we switched to other tasks. Most of us went back to our revenue-generating activities: developing software for the Western world. Our country seems to be in need of foreign currency inflow at the moment, and we, IT folks, are among those who can provide it. Besides, it’s good to have some income to be able to directly buy bulletproof vests, helmets and night vision devices for our acquaintances on the front lines. Some of us switched to debunking fakes in social media, reporting false comments and Telegram channels used to provide intel to the Russian army. Some switched to volunteering and helping to organize the broken and chaotic supply chains. I switched to writing texts in English, trying to reach a wider audience with tales of what is really going on here. The Cyber War was over for us, but the war effort continued.
